# Implement Phase 5.1: Advanced Authentication

I will implement **Extended OAuth Providers** and **Enterprise SSO (OIDC)**.

## 1. Extended OAuth Providers

**Goal**: Add support for Azure (Microsoft), GitLab, Bitbucket, and Discord.

- **Config**: Update `common/src/config.rs` to read new env vars:
  - `AZURE_CLIENT_ID` / `_SECRET`
  - `GITLAB_CLIENT_ID` / `_SECRET`
  - `BITBUCKET_CLIENT_ID` / `_SECRET`
  - `DISCORD_CLIENT_ID` / `_SECRET`
- **Implementation**: Update `auth/src/oauth.rs`:
  - Extend `get_client` with new provider URLs.
  - Extend `fetch_user_profile` with new user info endpoints and parsing logic.

## 2. Enterprise SSO (OIDC)

**Goal**: Implement OIDC support for enterprise identity providers (e.g., Okta, Auth0, Google Workspace).

- **Dependencies**: Add `openidconnect` to `auth/Cargo.toml`.
- **Schema**: Create the `auth.sso_providers` table to store OIDC config per domain/project.
  - Columns: `id`, `resource_id`, `domain`, `oidc_issuer_url`, `oidc_client_id`, `oidc_client_secret`, `created_at`, `updated_at`.
- **Implementation**: Create `auth/src/sso.rs`.
  - `POST /auth/v1/sso`: Accepts `domain` or `provider_id`. Discovers the OIDC config and generates the authorization URL.
  - `GET /auth/v1/sso/callback`: Handles the code exchange, fetches user info, and creates/links the user.

## Execution Steps

1. **Update Config**: Modify `common/src/config.rs`.
2. **Add Dependencies**: Update `auth/Cargo.toml`.
3. **Schema Migration**: Create `migrations/20260312000001_add_sso.sql`.
4. **Implement OAuth**: Update `auth/src/oauth.rs`.
5. **Implement SSO**: Create `auth/src/sso.rs`.
6. **Register Routes**: Update `auth/src/lib.rs`.
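The config step in section 1 reads a `<PROVIDER>_CLIENT_ID` / `<PROVIDER>_CLIENT_SECRET` pair per provider. The failure mode worth guarding against there is a half-configured provider (one variable set, the other missing or empty), which should fail startup rather than silently disable the provider. The block below is an added example, not the project's `common/src/config.rs`; the `OAuthProviderConfig` and `ConfigError` types, the `load_provider` / `load_all` functions and the `get` lookup parameter (which stands in for `std::env::var` so the logic can be tested without touching the process environment) are all assumptions of this example. It also redacts the secret from `Debug` output so the struct cannot leak it through logging.

```rust
// Added example (not the project's config.rs): loading per-provider OAuth
// client credentials from env-style variables, rejecting half-configured providers.
use std::fmt;

#[derive(Clone, PartialEq)]
pub struct OAuthProviderConfig {
    pub name: String, // "azure", "gitlab", "bitbucket" or "discord"
    pub client_id: String,
    pub client_secret: String,
}

// Manual Debug so `{:?}` (and therefore log lines) never print the secret.
impl fmt::Debug for OAuthProviderConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("OAuthProviderConfig")
            .field("name", &self.name)
            .field("client_id", &self.client_id)
            .field("client_secret", &"<redacted>")
            .finish()
    }
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// Exactly one of <NAME>_CLIENT_ID / <NAME>_CLIENT_SECRET was set.
    PartiallyConfigured { provider: String, missing: String },
    /// A variable was present but empty or whitespace-only.
    EmptyValue { provider: String, var: String },
}

/// Providers this example knows; the plan above lists the same four.
pub const PROVIDERS: [&str; 4] = ["azure", "gitlab", "bitbucket", "discord"];

/// Loads one provider. `get` abstracts `std::env::var` (hypothetical parameter).
/// Ok(None) means "not enabled"; a lone ID or secret is an error, not a no-op.
pub fn load_provider<F>(provider: &str, get: F) -> Result<Option<OAuthProviderConfig>, ConfigError>
where
    F: Fn(&str) -> Option<String>,
{
    let prefix = provider.to_ascii_uppercase();
    let id_var = format!("{prefix}_CLIENT_ID");
    let secret_var = format!("{prefix}_CLIENT_SECRET");
    match (get(&id_var), get(&secret_var)) {
        (None, None) => Ok(None),
        (Some(_), None) => Err(ConfigError::PartiallyConfigured { provider: provider.into(), missing: secret_var }),
        (None, Some(_)) => Err(ConfigError::PartiallyConfigured { provider: provider.into(), missing: id_var }),
        (Some(id), Some(secret)) => {
            for (var, value) in [(&id_var, &id), (&secret_var, &secret)] {
                if value.trim().is_empty() {
                    return Err(ConfigError::EmptyValue { provider: provider.into(), var: var.clone() });
                }
            }
            Ok(Some(OAuthProviderConfig { name: provider.into(), client_id: id, client_secret: secret }))
        }
    }
}

/// Loads every known provider, failing fast on the first misconfiguration.
pub fn load_all<F>(get: F) -> Result<Vec<OAuthProviderConfig>, ConfigError>
where
    F: Fn(&str) -> Option<String>,
{
    let mut enabled = Vec::new();
    for provider in PROVIDERS {
        if let Some(cfg) = load_provider(provider, &get)? {
            enabled.push(cfg);
        }
    }
    Ok(enabled)
}

fn main() {
    // Stand-alone run: read the real process environment.
    match load_all(|key| std::env::var(key).ok()) {
        Ok(cfgs) => println!("enabled providers: {:?}", cfgs),
        Err(e) => eprintln!("config error: {e:?}"),
    }
}
```

Wiring this into the real `config.rs` would mean calling `load_all` with `|k| std::env::var(k).ok()` during startup and refusing to boot on `Err`, so that a deployment with a stale or missing secret is caught before the first login attempt hits `get_client`.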
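Section 2 splits SSO into `POST /auth/v1/sso` (resolve the domain, build the authorization URL) and `GET /auth/v1/sso/callback` (exchange the code). What the plan leaves implicit is the server-side state that links the two: the callback must only accept a `state` it issued, once, within a short window, and must hand the stored `nonce` and domain to whatever validates the ID token. The block below is an added example and not the project's `auth/src/sso.rs`; it uses only the standard library rather than `openidconnect`, keeps an in-memory `HashMap` as a stand-in for the `auth.sso_providers` table, assumes the conventional `/authorize` path instead of running OIDC discovery, takes `state` and `nonce` from the caller (a real implementation generates both from a CSPRNG), and uses constructed domains and URLs throughout. The `SsoService`, `PendingAuth` and `SsoError` names are this example's own.

```rust
// Added example (not the project's sso.rs): start/callback halves of the SSO flow
// with single-use, time-limited `state`. Provider table, URLs and domains are constructed.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct SsoProvider {
    pub domain: String,
    pub oidc_issuer_url: String,
    pub oidc_client_id: String,
}

/// What the server remembers between the start request and the callback.
#[derive(Debug, Clone)]
pub struct PendingAuth {
    pub domain: String,
    pub nonce: String,
    pub created_at: u64, // unix seconds
}

#[derive(Debug, PartialEq)]
pub enum SsoError {
    InvalidEmail,
    UnknownDomain(String),
    UnknownState,
    Expired,
    ProviderError(String),
}

pub struct SsoService {
    providers: HashMap<String, SsoProvider>, // keyed by lowercase domain (stands in for auth.sso_providers)
    pending: HashMap<String, PendingAuth>,   // keyed by `state`
    redirect_uri: String,
    ttl_secs: u64,
}

/// Lowercase domain of an email address; anything without exactly one '@' is rejected.
pub fn domain_from_email(email: &str) -> Result<String, SsoError> {
    let mut parts = email.trim().split('@');
    match (parts.next(), parts.next(), parts.next()) {
        (Some(local), Some(domain), None) if !local.is_empty() && !domain.is_empty() => {
            Ok(domain.to_ascii_lowercase())
        }
        _ => Err(SsoError::InvalidEmail),
    }
}

/// RFC 3986 percent-encoding for query values (std has no encoder).
pub fn url_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

impl SsoService {
    pub fn new(providers: Vec<SsoProvider>, redirect_uri: &str, ttl_secs: u64) -> Self {
        let providers = providers.into_iter().map(|p| (p.domain.to_ascii_lowercase(), p)).collect();
        Self { providers, pending: HashMap::new(), redirect_uri: redirect_uri.to_string(), ttl_secs }
    }

    /// `POST /auth/v1/sso`: resolve the email domain to a provider and build the authorization URL.
    pub fn start(&mut self, email: &str, state: &str, nonce: &str, now: u64) -> Result<String, SsoError> {
        let domain = domain_from_email(email)?;
        let provider = self.providers.get(&domain).ok_or_else(|| SsoError::UnknownDomain(domain.clone()))?;
        // Real code takes this from `{issuer}/.well-known/openid-configuration`; `/authorize` is assumed here.
        let auth_endpoint = format!("{}/authorize", provider.oidc_issuer_url.trim_end_matches('/'));
        let url = format!(
            "{auth_endpoint}?response_type=code&scope={}&client_id={}&redirect_uri={}&state={}&nonce={}",
            url_encode("openid email profile"),
            url_encode(&provider.oidc_client_id),
            url_encode(&self.redirect_uri),
            url_encode(state),
            url_encode(nonce),
        );
        self.pending.insert(state.to_string(), PendingAuth { domain, nonce: nonce.to_string(), created_at: now });
        Ok(url)
    }

    /// `GET /auth/v1/sso/callback`: validate `state` before any code exchange. Returns the pending
    /// record so the caller can check the ID token's `nonce` and issuer against what was stored.
    pub fn callback(&mut self, state: &str, error: Option<&str>, now: u64) -> Result<PendingAuth, SsoError> {
        // Consume the state first so a replayed callback can never reuse it, even on error paths.
        let pending = self.pending.remove(state).ok_or(SsoError::UnknownState)?;
        if let Some(e) = error {
            return Err(SsoError::ProviderError(e.to_string()));
        }
        if now.saturating_sub(pending.created_at) > self.ttl_secs {
            return Err(SsoError::Expired);
        }
        Ok(pending)
    }
}

fn main() {
    let provider = SsoProvider {
        domain: "example.com".into(),
        oidc_issuer_url: "https://idp.example.test".into(),
        oidc_client_id: "client-abc".into(),
    };
    let mut svc = SsoService::new(vec![provider], "https://app.example.test/auth/v1/sso/callback", 300);
    println!("{}", svc.start("alice@example.com", "state-demo", "nonce-demo", 0).unwrap());
}
```

The one ordering choice worth keeping when this is ported onto `openidconnect`: `pending.remove(state)` happens before the provider `error` parameter or the TTL is inspected, so every outcome of a callback burns its `state`, and the `nonce` returned from `callback` is what the ID-token verification should be fed rather than anything taken from the request.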